FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more personal than that?

Intimate facts about ovulation, fertility, and other sexual and reproductive health issues are about as personal as personal information can get. The FTC alleges that Easy Healthcare Corporation – the company behind the Premom Ovulation Tracker app – broke its privacy promises by disclosing users’ sensitive health data to Google and AppsFlyer and by sharing other personal information with two firms in China. The complaint, which alleges that Easy Healthcare violated the FTC Act and the Health Breach Notification Rule, is the latest action against a company for recklessly handling consumers’ sensitive information.

Defendant Easy Healthcare developed and distributed the Premom app, which allowed users to upload information about their menstrual cycles, reproductive health conditions, and other fertility-related data. The company also sold ovulation test strips that users could photograph and upload in an effort to predict when they would ovulate. Based on the company’s description that it was “the only fertility tracker and ovulation app that offers a pregnancy guarantee to help women who are trying to conceive (TTC) make their baby dreams come true,” hundreds of thousands of users downloaded the Premom app.

The defendant also encouraged users to connect Premom to third-party apps or products so Premom could import even more health information. As a result, Premom collected extensive sensitive data from consumers – for example, dates of their menstrual cycles, hormone test results, and even when their pregnancies started and ended.

According to the complaint, the defendant made multiple privacy assurances to consumers. For example, in a July 7, 2020, privacy policy, the defendant pledged:

WE PROMISE WE WILL NEVER SHARE YOUR EXACT AGE OR ANY DATA RELATED TO YOUR HEALTH WITH ANY THIRD PARTIES WITHOUT YOUR CONSENT OR KNOWLEDGE.

(Just to be clear, the all-caps format was Easy Healthcare’s choice, not ours.) A 2021 privacy policy said this: “Premom uses AppsFlyer, a mobile marketing platform based in the United States, to handle non-health Personal Data” and that “third party services do not have access to your health information through the Services unless you share that information directly with them.” Would people share all that highly sensitive information if they knew defendant’s privacy assurances were false? We don’t think so.

So that’s what the defendant promised, but the FTC says Easy Healthcare violated its own privacy representations. According to the lawsuit, the company built into the Premom app software development kits – SDKs – from third-party marketing and analytics firms without considering the stark discrepancy between the privacy promises the defendant made to users and how the SDKs in the app were operating behind the scenes to share users’ personal information. You’ll want to read the complaint for details, but the FTC says the company broke its promises by using SDKs in a way that shared that sensitive data with third parties.

Think of it from the consumer’s perspective. This was information so personal that some people may not have shared it with those closest to them – and yet the defendant turns around and hands it to Google and AppsFlyer? Really?

The FTC says the defendant’s betrayal of its privacy pledges didn’t end there. According to the complaint, Easy Healthcare also integrated SDKs from Umeng, a Chinese mobile app analytics provider owned by Alibaba, and Jiguang, a Chinese mobile developer and analytics provider. Through their SDKs, the Premom app turned over other sensitive data to those companies – for example, users’ social media account information and their precise geolocation. According to the complaint, Easy Healthcare did that despite telling consumers between 2017 and 2020 that it collected “nonidentifiable information for purposes of tracking analytics of the usage of [its] application.” Through Easy Healthcare’s use of third-party services, the FTC says that data can be traced back to a real person – rendering the defendant’s “nonidentifiable information” claim flat-out false.

The proposed settlement imposes an outright ban on the defendant’s sharing of users’ personal health data with third parties for advertising purposes. If the company wants to share health data for any other purpose, it must get users’ express consent. In addition to a $100,000 civil penalty for violating the Health Breach Notification Rule, the order requires – among other things – that the defendant seek the deletion of data it shared with third parties, contact users directly to tell them about the FTC’s allegations, and implement a comprehensive privacy and data security program subject to independent compliance assessment. As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective state laws.

The proposed settlement sends some strong signals to anyone in the information ecosystem.

The FTC couldn’t be more serious about protecting consumers’ privacy.  Have you noticed an enforcement uptick against companies that violate consumers’ privacy through unfair or deceptive conduct? Good. That’s a message the FTC intends to send to app developers, the advertising technology industry, and anyone that attempts to exploit consumers’ privacy for profit.

Undertake a Health Breach Notification Rule refresher.  This is the FTC’s second case in just a few months alleging a violation of the Health Breach Notification Rule. The Rule requires covered companies to notify users, the FTC, and in some cases the media, whenever there is the unauthorized acquisition of unsecured individually identifiable health information. Read Complying with FTC’s Health Breach Notification Rule to see how your company’s practices measure up.

Set the standard for non-resettable device identifiers.  This is the FTC’s first case specifically alleging that non-resettable device identifiers (like International Mobile Equipment Identity numbers) are identifiable information, and therefore highly sensitive in nature. Premom’s collection and sharing of these and other mobile device identifiers allowed third parties to circumvent operating systems’ privacy controls, track individuals, infer the identity of individual users, and ultimately associate that user with a fertility app.

Consider the implications of lax data security.  The complaint lists a number of ways in which Easy Healthcare didn’t employ reasonable privacy and data security measures, including its failure to assess the risks of third-party SDKs it incorporated into Premom. One particular concern in this case: that consumers are injured when their sensitive information is sent together with a decryption key to third parties, subjecting the data to potential interception.